Analysis

  • max time kernel: 149s
  • max time network: 137s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 13-11-2024 19:45

General

  • Target: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
  • Size: 4.1MB
  • MD5: b93004c132f8750522b7ef4097c3ca47
  • SHA1: c97e9f8203ce5dc89db93e734fea64dd8330e81b
  • SHA256: 107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222
  • SHA512: 8bdc2c4bc22243b578e0f06538f7acadfeee2fc6aff998b2b694866ce614459df28dd666e5161c6a5dee5884b119bbe4c8b4afab772c63a968d12454c5c03bab
  • SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBYB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpLbVz8eLFcz

Malware Config

Signatures

  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe
    "C:\Users\Admin\AppData\Local\Temp\107b807652580f53303baae740192217735f0360922122dc329941a5cf5f9222.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:4072
    • C:\SysDrvZ9\devdobloc.exe
      C:\SysDrvZ9\devdobloc.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:3920

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\MintXL\dobdevloc.exe
    Filesize: 4.1MB
    MD5: e3d42ce709ba30e8ec12030e77dd2759
    SHA1: b49dd3f2b896e1e742c3215f6ca5bd081913102d
    SHA256: 72a9f3126038b3cafbb53fe7167ce7555856030c39f0193567d04be7d235c42a
    SHA512: 9d20edda519a734ea35d4244d5d40e9c0517686aa12551cc1978d15d40eeed8c754253c09b8c1ebb0b57b2510c5d37fc84796090215546410df07fce1f73cf69

  • C:\MintXL\dobdevloc.exe
    Filesize: 1.4MB
    MD5: ccede89232f164881cdeb3c62ae98f4f
    SHA1: 67cb5ebee01c039808a0862b8eae4433f60fa76e
    SHA256: 1da05bdbbd22d72749402d4414cfb3a31e1cb025b3168ff580643b7df8480c4a
    SHA512: 824afaa624648e73e5eee695b0ce0156608a7920c519e55b198b3b35a679501767c74069926fdbd36cfeb750aa7e2ee34258964f0ec75d367714e5bf3bffc295

  • C:\SysDrvZ9\devdobloc.exe
    Filesize: 4.1MB
    MD5: 2a2d4c56dc545dbd1235b3de74df0308
    SHA1: 128049efa25c4d5ec038092f742c4c7928f79a9e
    SHA256: d4f9becd8d59ab06b887e2f66fe383b9418b6d804602e3d0cd51c5ab5d44f738
    SHA512: 223ce0eb356eda1022671cc81fe7c1a6ce71746eac696f1924bf08d01d3c89be3f6a60bdfe4ad6202d02fb192acaa4622cc088749a3ab7f9c6b81b8b094d2c46

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 207B
    MD5: c8d522c77f5ddef15b8f2db4a0d8423b
    SHA1: e4a85cb23a6fbb77d4f758a2603e61ebf9cbbd6f
    SHA256: ec0ce132a83cdaf3c19836af63c1b5553374d19d4f5b066552cf16962b39523d
    SHA512: efc37cf4685b40a7c3c60b88fd448ad2a915997afb8fcc35167e90aa3aa447f0acf6e43fe135f1eed6203d2d865812d979bfd2867bf6a3cbec8b198a8d9fda17

  • C:\Users\Admin\253086396416_10.0_Admin.ini
    Filesize: 175B
    MD5: 854c232a225269e045136916e2759f2a
    SHA1: 564348ad6adce6180bda0ec75a03a87556a3cd6f
    SHA256: f6d944c370540b226e5881c645fb3bb8426f423859a6fa3599a4c374890a3e4d
    SHA512: fc280dfb61ef4cdb6c7250bc52d3554656ff4c2b8bb8a26218eed7591ba91dfd372a0c63dd6321b22a7cf466002478c7ffc18acc426595ad6c45eddb10d28076

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysdevbod.exe
    Filesize: 4.1MB
    MD5: 98aefb490082e8457012126b9c0035ae
    SHA1: 8cc8f9fcb9726de516c3afc8a4d32f320b059e26
    SHA256: 2b81eb5ec73557f5ea7ebebeb92ca9083da50c6dc2dd2d6edc0cb04ae3d9da98
    SHA512: 81307fddbe216d08744bf42649de0b07420e8fbe57f0f6f72d62d1f590a0d838ea562c50f3d3ed005c94fb87cb2f506880cb1c6d8ac2bd3d9a8c7c7eb141f846